Shortcuts

S.O.S - Calling all HTTPModule Security Experts!

I'm creating a multiple sign-on process using an HTTPModule so I need to be able to keep track of which steps (pages) in the sign-on process the users have successfully completed. That being said, I do have a descent understanding of how these modules work
as I've created one in the past to authenticate users from our legacy Cold Fusion apps to ASP.Net. Thus, it is my understanding that the HTTPContext.Current.Session object will not be available during the first call of OnAuthenticateRequest.

However, I was under the impression that after the first page loaded and was processed through the module, successful sign-on and all, the session would be available to that module for every request after that even within the OnAuthenticateRequest event.
Is that true?

The reason why I ask is because I would like to set session variables for each step in my sign-on process recording successful completions and then redirect accordingly. I'm finding though, that the session remains null every time. Would it be a good practice
to use the OnAcquireRequest state for every step after the first step was authenticated through OnAuthenticateRequest as an alternative?

Re: S.O.S - Calling all HTTPModule Security Experts!

The session is only available in an HttpModule between Application_AcquireRequestState and Application_ReleaseRequestState.
Prior to the AcquireRequestState, it is not available via HttpContext.Current.Session.
(However, in some instances it is available via the Context.Items collection prior to this event.. the first item in this list is the session object).